The Hacker News — Cyber Security, Hacking, Technology News

Do you own a custom domain or a blog under the wordpress.com domain name?

If yes, then there is good news for you.

WordPress is bringing free HTTPS to every blog and website that belongs to them in an effort to make the Web more secure.

WordPress – free, open source and the most popular content management system (CMS) on the Web – is used by over a quarter of all websites across the world, and this new move represents a massive shift toward a more secure Internet.

WordPress announced on Friday that it has partnered with the Electronic Frontier Foundation's "Let's Encrypt" project, allowing it to provide reliable and free HTTPS support for all of its customers that use custom domains for their WordPress.com blogs.

Now every website hosted on wordpress.com has an SSL certificate and will display a green lock in the address bar.

"For you, the users, that means you'll see secure encryption automatically deployed on every new site within minutes. We are closing the door to unencrypted web traffic (HTTP) at every opportunity," WordPress said in its blog post.

HTTPS has already been available for all sub-domains registered on wordpress.com, but with the latest update, the company will soon offer free SSL certs for its custom domains that just use the WordPress backend.

In short, users with custom domains (https://abcdomain.com) will now receive a free SSL certificate issued by Let's Encrypt on behalf of WordPress, and have it automatically deployed on their servers with minimal effort.

Until now, switching a web server from HTTP to HTTPS has been something of a hassle and an expense for website operators, and certificates have been notoriously hard to install and maintain.

However, with the launch of Let's Encrypt, it is now easier for anyone to obtain free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates for their web servers and set up HTTPS websites in a few simple steps.

Now WordPress is also taking advantage of this free, open source initiative for its websites.

So you might have a question in your mind:

What do I need to do to activate HTTPS on my WordPress blog?

You do not need to worry about this at all. WordPress.com is activating HTTPS on all of its millions of websites without you having to do anything.

Let's Encrypt is trusted and recognized by all major browsers, including Google's Chrome, Mozilla's Firefox and Microsoft's Internet Explorer, so you need not worry about its authenticity.

Let's Encrypt has achieved another big milestone by issuing 1 million free Transport Layer Security (TLS) SSL Certificates to webmasters who wish to secure the communications between their users and domains.

Let's Encrypt – operated by the Internet Security Research Group (ISRG) – is an absolutely free and open source certificate authority recognized by all major browsers, including Google's Chrome, Mozilla's Firefox and Microsoft's Internet Explorer.

It has been just three months and five days since Let's Encrypt launched a beta version of the service, and the group has already crossed 1 million certificates in use across the Web, Let's Encrypt said in a blog post on Tuesday.

Backed by companies including EFF, Akamai and Mozilla, the Let's Encrypt project started offering free HTTPS certs to everyone last December.

Let's Encrypt certificates are configured with cross-signatures from SSL cert provider IdenTrust, making its free certs trustworthy and allowing users to browse more securely on the Internet.

With Let's Encrypt, it is very easy for anyone to set up an HTTPS website in a few simple steps (Here's How to Install Free SSL Cert).

Here's what Let's Encrypt says in its post:

"Much more work remains to be done before the Internet is free from insecure protocols, but this is substantial and rapid progress. It is clear that the cost and bureaucracy of obtaining certificates was forcing many websites to continue with the insecure HTTP protocol, long after we've known that HTTPS needs to be the default.

We're very proud to be seeing that change, and helping to create a future in which newly provisioned websites are automatically secure and encrypted."

So, now it's time for the Internet to take a significant step forward towards security and privacy. With Let's Encrypt, the team wants HTTPS to become the default, and to make that possible for everyone, it has built Let's Encrypt in such a way that certificates are easy to obtain and manage.

Let's Encrypt has opened to the public, allowing anyone to obtain Free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates for their web servers and to set up HTTPS websites in a few simple steps (mentioned below).

Let's Encrypt – an initiative run by the Internet Security Research Group (ISRG) – is a new, free, and open certificate authority recognized by all major browsers, including Google's Chrome, Mozilla's Firefox and Microsoft's Internet Explorer.

The free SSL certificate authority is now in public beta after a trial among a select group of volunteers.

How to Renew Let's Encrypt Free SSL Certificate: It is important to note that the beta version of Let's Encrypt issues certificates that expire after 90 days. So, to renew your SSL certificate, you need to run the letsencrypt-auto script again after expiration.

FREE HTTPS Certificates for Everyone!

So, now it's time for the Internet to take a significant step forward in terms of security and privacy. With Let's Encrypt, the team wants HTTPS to become the default, and to make that possible for everyone, it has built Let's Encrypt in such a way that certificates are easy to obtain and manage.

"There's a reward going for anyone who can find a security hole in the service," the team wrote in a blog post. "We have more work to do before we're comfortable dropping the beta label entirely, particularly on the client experience."

"Automation is a cornerstone of our strategy, and we need to make sure that the client works smoothly and reliably on a wide range of platforms. We'll be monitoring feedback from users closely, and making improvements as quickly as possible."

Let's Encrypt signed its first free HTTPS certificate in September, and its client software emerged in early November. Since then the team has been finding flaws in its systems before going public.

Yes, Let's Encrypt is now one step closer to its goal of offering Free HTTPS certificates to everyone.

Let's Encrypt – the free, automated, and open certificate authority (CA) – has announced that its free HTTPS certificates are now trusted and supported by all major browsers.

Let's Encrypt enables any website to protect its users with free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates that encrypt all the Internet traffic passed between a site and users.

Not only is it free, but the initiative also makes HTTPS implementation easier for any website or online shopping site owner who wants to assure users that their browsing activities and transactions are safe from snoopers.

Let's Encrypt issued its first free HTTPS certificate last month and was working with other major browsers to recognize its certificate as a trusted authority.

Let's Encrypt achieved a New Milestone

Let's Encrypt has received cross-signatures from SSL cert provider IdenTrust, so it can now begin offering its Free HTTPS certificates more widely to websites, allowing users to browse more securely on the Internet.

The free certificate authority (CA) is hosting a demonstration website at https://helloworld.letsencrypt.org/ where one of its newly accepted certificates is working in the real world without throwing an untrusted-certificate warning in Mozilla, IE, Safari, Chrome and the like.

However, Let's Encrypt will only begin issuing its free HTTPS certificates in November.

The Open Source Certificate Authority (CA) is run by the Internet Security Research Group (ISRG) and backed by the Electronic Frontier Foundation (EFF), Mozilla, Cisco, and Akamai, among others.

Last fall, the non-profit foundation EFF (Electronic Frontier Foundation) launched an initiative called Let's Encrypt that aimed at providing free digital cryptographic certificates (TLS) to any website that needs them.

Today, Let's Encrypt – a free, automated, open-source certificate authority (CA) – has signed its first certificate, hitting what it calls a major milestone toward encrypting all of the Web.

Let's Encrypt enables any Internet site to protect its users with free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates that encrypt all the data passed between a website and users.

Not just free, but the initiative also makes HTTPS implementation easier for any website or online shopping site owner in order to ensure the security of their customers' data.

"Forget about hours (or sometimes days) of muddling through complicated programming to set up encryption on a website, or yearly fees," EFF explains. "Let’s Encrypt puts security in the hands of site owners."

The first certificate signed by Let's Encrypt is currently available only to beta testers, though anyone can check out the CA's first certificate, issued for helloworld.letsencrypt.org, on the group's website.

Once clicked, the above HTTPS link may direct you to an SSL certificate error. That is because your browser does not yet trust the certificate authority.

"Let's Encrypt has not yet been added as a trusted authority to the major browsers (that will be happening soon)," the site explains. "So for now, you'll need to add the ISRG root certificate yourself. Specifics will depend on your browser. In Firefox, just click the link."

Sign-Up Now for Participating

Website owners who are interested in the beta testing phase can sign up and submit their domain names for consideration.

Though major browsers do not yet recognize Let's Encrypt as a trusted authority, the Let's Encrypt team is working with Google (for Chrome), Microsoft (for Edge), Apple (for Safari), and Mozilla (for Firefox) to make it happen.

So, if everything goes well, the certificates will be available for everyone to use by the end of November 2015.

Securing the Internet with Let's Encrypt

Let's Encrypt is an initiative run by the Internet Security Research Group (ISRG) and backed by the EFF, Mozilla, Cisco, and Akamai, among others.

Let's Encrypt, a project that aims to provide a free-of-charge and easier-to-implement way to obtain and use digital cryptographic certificates (SSL/TLS) to secure HTTPS websites, is looking forward to issuing its first digital certificates next month.

With Let's Encrypt, any webmaster interested in implementing HTTPS for their services can get the certificates for free, which is a great move for encouraging people to encrypt their users' connections to their websites.

Generally, the process of implementing an SSL certificate, including the need to obtain and install the certificate, is as complicated for most web developers as it sounds.

In most cases, cost-related issues force web administrators to give up on using encrypted connections.

However, the goal of the Let's Encrypt project is to simplify this certificate implementation process while reducing the cost for operators, who no longer need to pay for security.

"We will issue the first end entity certificates under our root under tightly controlled circumstances," the official announcement says. "No cross-signature will be in place yet, so the certificates will not validate unless our root is installed in client software."

The Let's Encrypt authority will soon provide browser-trusted certificates through a publicly documented API (Application Programming Interface) that any webmaster or website owner can implement.

Informal tests conducted by the researchers showed that it often takes 1-3 hours for a webmaster to install a certificate.

Let's Encrypt is funded by the Internet Security Research Group (ISRG), a new California-based public-benefit corporation. The project is going to enter its soft-launch stage next month and will be available to the general public in September this year.

So, very soon a certificate can be obtained free of cost. By contrast, an extended validation (EV) SSL certificate can cost you up to $1,000 (approx. £640).

Google is ready to give a New Year gift to Internet users who are concerned about their privacy and security. The Chromium Project's security team has marked all HTTP web pages as insecure and is planning to explicitly and actively inform users that HTTP connections provide no data security protections.

There are also projects like Let's Encrypt, launched by the non-profit foundation EFF (Electronic Frontier Foundation) in collaboration with big and reputed companies including Mozilla, Cisco, and Akamai to offer free HTTPS/SSL certificates for those running servers on the Internet at the beginning of 2015.

This is not the first time Google has taken the initiative to encourage website owners to switch to HTTPS by default. A few months ago, the Internet giant also made changes to its search engine algorithm in an effort to give a slight ranking boost to websites that use encrypted HTTPS connections.

"We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure," the team writes in its blog post. The post continues, "the goal of this proposal is to more clearly display to users that HTTP provides no data security."

"We all need data communication on the web to be secure (private, authenticated, untampered). When there is no data security, the UA should explicitly display that, so users can make informed decisions about how to interact with an origin."

Users always compromise between security and flexibility or freedom while browsing the Internet. When I talk about security here, I mean reducing the online attack vectors, which generally limits our freedom to use some features.

The security team also remarks that HTTPS traffic usually produces a change in the user interface, such as new address bar indicators in the various browsers, yet insecure HTTP traffic does not. The security indicators and warnings are supposed to protect users from site-forgery attacks, such as man-in-the-middle attacks or 'phishing' sites.

"We know that people do not generally perceive the absence of a warning sign," the Google Chrome Security Team wrote. "Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security: when the origin is transported via HTTP."

The researchers' team suggests that browsers instead define three basic states of transport layer security:

More specifically, Google is encouraging user agent (UA) vendors to take a phased approach to implementing these changes given the needs of their users and their product design constraints.

"Generally, we suggest a phased approach to marking non-secure origins as non-secure," the team wrote. "For example, a UA vendor might decide that in the medium term, they will represent non-secure origins in the same way that they represent Dubious origins. Then, in the long term, the vendor might decide to represent non-secure origins in the same way that they represent Bad origins."

This latest move by the search engine giant could push more sites to HTTPS by default, because the more of your website's traffic is encrypted, the more it will be trusted by users and prioritized in Google's search engine results. The post says that the team "intend to devise and begin deploying a transition plan for Chrome in 2015."